Cyber breaches are hitting UK businesses, according to a recently released report commissioned by the UK Government.

Following the high-profile targeting of TalkTalk, Vodafone and Wetherspoons, it is no surprise that large businesses are still the focus of cyber breaches. The underlying message to these businesses is that they need to improve their cyber security programmes in order to combat these threats.

Main Report Findings

1 in 4 large businesses encountered a breach once a month

Only one-third of all firms had a written security policy

Only 10% of all businesses had an incident response plan in place should a cyber attack occur

13% of all businesses set cyber security minimum standards for their suppliers

Only 20% of firms validate the providers of cloud computing services.

7 out of 10 of the attacks involved compromises by viruses, spyware or malware

Why has this happened?

The report also highlighted the fact that many firms do not have cyber security programmes in place that are in accordance with government guidance such as the Cyber Essentials Scheme and the “10 Steps Guide to Cyber Security”. This must be a major concern to the Government, as these two measures alone would establish a good level of cyber security.

Cyber Essentials is generally more difficult to achieve for larger businesses, as their systems tend to involve the use and management of bespoke software. The certification is geared more to standardised systems, which are more typical of SMEs. There is therefore a question as to whether Cyber Essentials needs to be adapted for larger businesses.

Cyber Insurance

The report also makes reference to 37% of firms having some form of cyber insurance in place, either as extensions to professional indemnity insurance policies or as stand-alone, cyber-specific insurance policies.

A concern raised by the report is the lack of knowledge about what is covered under a cyber insurance policy; the insurance industry therefore has a role to play in helping businesses understand this form of insurance.

Cyber breaches will continue to impact businesses unless they have a formal cyber security programme in place to protect them from the increasingly sophisticated cyber attacks that can compromise a business.

Should we share cyber security information?

Is this a good idea? There are very good reasons why we should share cyber security information, and there are also reasons why it may not be such a good idea.

The current landscape seems to be moving towards the sharing of this confidential and sensitive information, with regulation imposed on both sides of the Atlantic in recent months to promote and encourage the sharing of cyber security information.

At the end of last year the EEC announced the Network and Information Security Directive (NIS), a security and reporting directive for companies in critical business sectors, namely transport, energy, health and finance. It also applies to businesses such as Google and Amazon.

This Directive includes a requirement to report cyber security breaches, which is intended to give greater visibility of cyber crime and data breaches within companies and to make companies address their own cyber security.

It is anticipated that this will be ratified in the spring, with implementation expected within the next two years.

In the US, also at the end of last year, the Cybersecurity Information Sharing Act (CISA) was passed by the Senate, which allows companies to share cybersecurity threat data with the Department of Homeland Security (DHS) and other federal agencies. A number of bodies already exist in the US whose remit includes the sharing of cybersecurity information. These include Enhanced Cybersecurity Services (ECS), a voluntary information sharing programme whose aim is to help better protect business customers, and the National Cybersecurity and Communications Integration Center (NCCIC), which shares information with public and private sector partners.

In the UK the Cyber-security Information Sharing Partnership (CiSP) exists as part of CERT-UK. This is a joint industry and government initiative set up to share cyber threat and vulnerability information in order to increase overall awareness of cyber threats and help mitigate the impact they may have on UK businesses.

The British Insurance Brokers' Association (BIBA) has recently endorsed CiSP to encourage insurance brokers to join it and share the knowledge of over 4000 cyber-security professionals from over 1500 organisations. The government is also very keen that the insurance industry works more closely with cyber security professionals, and it is likely that we will see evidence of this in the future via associations and collaborations.

Let’s now review the positives and negatives of sharing cyber security information:-

Positives

It provides information to business on the latest forms of malware, spear phishing campaigns, and known malicious domains

Improvement in technology to combat the latest forms of security threats

Information derived from claims that insurers can use to assess, rate and improve the coverage under cyber insurance policies.

Assessment of insurers' risk aggregation.

Information to help insurers analyse cyber catastrophe models

Provision of knowledge to help anticipate future terrorist-led cyber attacks.

Negatives

Possible release of confidential information of cyber attacks and data breaches to third parties

The information provided may affect a company's ability to do business, with existing customers becoming concerned about poor cyber security measures.

Collateral damage to reputation of a business and impact on stock market share price

Hackers gain access to extremely sensitive databases.

A perception by some that “big brother” is spying, and that sharing will encourage surveillance of businesses.

Inadvertent sharing of personally identifiable information

The cyber security industry also has an important role to play, as it arguably possesses the greatest amount of cyber security data. This is no doubt considered valuable intellectual property, and there would be a reluctance to share it readily with a wider audience unless distribution is restricted to secure destinations.

The sharing of cyber security information is more advanced in the US than in the EEC / rest of the world, and this reflects two very different cyber landscapes, with the US being more mature in terms of the number and size of cyber security breaches and the existing litigation that helps drive notification.

The sharing of cybersecurity information definitely has a role to play in improving cyber security and defending against the cyber attacks that can threaten a business. How it is shared is perhaps the current dilemma facing governments and regulators.

Data Breach – this can occur without you knowing it and could be happening in your business right now

The average time before a data breach is detected in a business is 205 days, and it has been known to be as long as 8 years.

In the real world a bank robbery occurs in a matter of minutes; in the virtual world a compromise of your security and the gradual theft of data could occur over many days and even years without you being aware of it.

It is therefore very important that a business has effective cyber security measures in place to combat and manage a potential data breach.

The key to this process centers around three main areas:-

Up-to-date software, or software that is regularly patched.

Effective risk management procedures which are constantly reviewed and supported by management at all levels.

Regularly updated business continuity / disaster recovery plans.

With this in place, the chances of discovering a compromise of your computer systems at an early stage increase, although it is very unlikely that you will achieve 100% certainty.

Once a data breach is discovered, it is vitally important that it is managed in a prompt and organised fashion. If it is not, it could make the difference between a business surviving and it not being a viable entity after the data breach.

A cyber liability insurance policy can help mitigate the impact of a data breach by providing the following benefits:-

Crisis Management – this involves the appointment of a crisis management consultant to assess and manage the data breach.

Public Relations Costs – the purpose of a PR consultant is to manage the data breach in the public domain so that reputational damage is minimised.

Call Center Costs – the use of a call center to manage customers' concerns about the possible loss of personal information and to notify them of the incident, with the additional costs incurred being covered.